Incorrect Authorization

The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

CVEs (3,046)

CVE VENDORS PRODUCTS UPDATED PUBLISHED CVSS
CVE-2025-21519 1Oracle 1Mysql Server Nov 3, 2025 Jan 21, 2025 N/A· v4 4.4 MEDIUM· v3 N/A· v2 Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 8.0.40 and prior, 8.4.3 and prior and 9.1.0 and prior. Difficult to exploit...Show more Vulnerability in the MySQL Server product of Oracle MySQL (component: Server: Security: Privileges). Supported versions that are affected are 8.0.40 and prior, 8.4.3 and prior and 9.1.0 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Server. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Server. CVSS 3.1 Base Score 4.4 (Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:H).Show less
CVE-2025-21517 1Oracle 1Jd Edwards Enterpriseone Tools Mar 17, 2025 Jan 21, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Supported versions that are affected are Prior to 9.2.9.0. Easily exploitable vulnerability allows low privi...Show more Vulnerability in the JD Edwards EnterpriseOne Tools product of Oracle JD Edwards (component: Web Runtime SEC). Supported versions that are affected are Prior to 9.2.9.0. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise JD Edwards EnterpriseOne Tools. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of JD Edwards EnterpriseOne Tools accessible data. CVSS 3.1 Base Score 4.3 (Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).Show less
CVE-2025-21516 1Oracle 1E Business Suite Jun 23, 2025 Jan 21, 2025 N/A· v4 8.1 HIGH· v3 N/A· v2 Vulnerability in the Oracle Customer Care product of Oracle E-Business Suite (component: Service Requests). Supported versions that are affected are 12.2.5-12.2.13. Easily exploitable vulnerability allows low privileged...Show more Vulnerability in the Oracle Customer Care product of Oracle E-Business Suite (component: Service Requests). Supported versions that are affected are 12.2.5-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Customer Care. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Customer Care accessible data as well as unauthorized access to critical data or complete access to all Oracle Customer Care accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).Show less
CVE-2025-21506 1Oracle 1E Business Suite Jun 23, 2025 Jan 21, 2025 N/A· v4 8.1 HIGH· v3 N/A· v2 Vulnerability in the Oracle Project Foundation product of Oracle E-Business Suite (component: Technology Foundation). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low...Show more Vulnerability in the Oracle Project Foundation product of Oracle E-Business Suite (component: Technology Foundation). Supported versions that are affected are 12.2.3-12.2.13. Easily exploitable vulnerability allows low privileged attacker with network access via HTTP to compromise Oracle Project Foundation. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle Project Foundation accessible data as well as unauthorized access to critical data or complete access to all Oracle Project Foundation accessible data. CVSS 3.1 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N).Show less
CVE-2025-21502 3Debian NetappOracle 11Active Iq Unified Manager Bootstrap OsBrocade San Navigator+8 more Jun 18, 2025 Jan 21, 2025 N/A· v4 4.8 MEDIUM· v3 N/A· v2 Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u431-perf, 11.0.25...Show more Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE (component: Hotspot). Supported versions that are affected are Oracle Java SE: 8u431-perf, 11.0.25, 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM for JDK: 17.0.13, 21.0.5, 23.0.1; Oracle GraalVM Enterprise Edition: 20.3.16 and 21.3.12. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data as well as unauthorized read access to a subset of Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition accessible data. Note: This vulnerability can be exploited by using APIs in the specified Component, e.g., through a web service which supplies data to the APIs. This vulnerability also applies to Java deployments, typically in clients running sandboxed Java Web Start applications or sandboxed Java applets, that load and run untrusted code (e.g., code that comes from the internet) and rely on the Java sandbox for security. CVSS 3.1 Base Score 4.8 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N).Show less
CVE-2024-51417 - - Feb 4, 2025 Jan 21, 2025 N/A· v4 6.4 MEDIUM· v3 N/A· v2 An issue in System.Linq.Dynamic.Core before 1.6.0 allows remote access to properties on reflection types and static properties/fields.
CVE-2025-24460 1Jetbrains 1Teamcity Jan 30, 2025 Jan 21, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 In JetBrains TeamCity before 2024.12.1 improper access control allowed to see Projects’ names in the agent pool
CVE-2025-0580 - - Jan 20, 2025 Jan 20, 2025 6.3 MEDIUM· v4 5.6 MEDIUM· v3 5.1 MEDIUM· v2 A vulnerability was found in Shiprocket Module 3 on OpenCart. It has been rated as critical. Affected by this issue is some unknown functionality of the file /index.php?route=extension/module/rest_api&action=getOrders of...Show more A vulnerability was found in Shiprocket Module 3 on OpenCart. It has been rated as critical. Affected by this issue is some unknown functionality of the file /index.php?route=extension/module/rest_api&action=getOrders of the component REST API Module. The manipulation of the argument contentHash leads to incorrect authorization. The attack may be launched remotely. The complexity of an attack is rather high. The exploitation is known to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.Show less
CVE-2024-57032 1Wegia 1Wegia Mar 19, 2025 Jan 17, 2025 N/A· v4 9.8 CRITICAL· v3 N/A· v2 WeGIA < 3.2.0 is vulnerable to Incorrect Access Control in controle/control.php. The application does not validate the value of the old password, so it is possible to change the password by placing any value in the senha...Show more WeGIA < 3.2.0 is vulnerable to Incorrect Access Control in controle/control.php. The application does not validate the value of the old password, so it is possible to change the password by placing any value in the senha_antiga field.Show less
CVE-2024-53553 1Opexustech 1Foiaxpress Public Access Link Oct 29, 2025 Jan 16, 2025 N/A· v4 9.1 CRITICAL· v3 N/A· v2 An issue in OPEXUS FOIAXPRESS PUBLIC ACCESS LINK v11.1.0 allows attackers to bypass authentication via crafted web requests.
CVE-2024-57683 1Dlink 1Dir 816 Firmware May 2, 2025 Jan 16, 2025 N/A· v4 4.3 MEDIUM· v3 N/A· v2 An access control issue in the component websURLFilterAddDel of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the filter settings of the device via a crafted POST request.
CVE-2024-57681 1Dlink 1Dir 816 Firmware May 2, 2025 Jan 16, 2025 N/A· v4 5.3 MEDIUM· v3 N/A· v2 An access control issue in the component form2alg.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the agl service of the device via a crafted POST request.
CVE-2024-57680 1Dlink 1Dir 816 Firmware May 2, 2025 Jan 16, 2025 N/A· v4 5.3 MEDIUM· v3 N/A· v2 An access control issue in the component form2PortriggerRule.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the port trigger of the device via a crafted POST request.
CVE-2024-57679 1Dlink 1Dir 816 Firmware May 2, 2025 Jan 16, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 An access control issue in the component form2RepeaterSetup.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the 2.4G and 5G repeater service of the device via a crafted POST request.
CVE-2024-57678 1Dlink 1Dir 816 Firmware May 2, 2025 Jan 16, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 An access control issue in the component form2WlAc.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the 2.4G and 5G mac access control list of the device via a crafted POST request.
CVE-2024-57677 1Dlink 1Dir 816 Firmware May 2, 2025 Jan 16, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 An access control issue in the component form2Wan.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the wan service of the device via a crafted POST request.
CVE-2024-57676 1Dlink 1Dir 816 Firmware May 2, 2025 Jan 16, 2025 N/A· v4 6.5 MEDIUM· v3 N/A· v2 An access control issue in the component form2WlanBasicSetup.cgi of D-Link 816A2_FWv1.10CNB05_R1B011D88210 allows unauthenticated attackers to set the 2.4G and 5G wlan service of the device via a crafted POST request.
CVE-2024-44136 1Apple 2Ipados Iphone Os Mar 22, 2025 Jan 15, 2025 N/A· v4 4.6 MEDIUM· v3 N/A· v2 This issue was addressed through improved state management. This issue is fixed in iOS 17.5 and iPadOS 17.5. An attacker with physical access to a device may be able to disable Stolen Device Protection.
CVE-2024-40771 1Apple 5Ipados Iphone OsMacos+2 more Apr 2, 2026 Jan 15, 2025 N/A· v4 7.8 HIGH· v3 N/A· v2 The issue was addressed with improved memory handling. This issue is fixed in iOS 16.7.8 and iPadOS 16.7.8, iOS 17.5 and iPadOS 17.5, macOS Monterey 12.7.5, macOS Sonoma 14.5, macOS Ventura 13.6.7, tvOS 17.5, visionOS 1....Show more The issue was addressed with improved memory handling. This issue is fixed in iOS 16.7.8 and iPadOS 16.7.8, iOS 17.5 and iPadOS 17.5, macOS Monterey 12.7.5, macOS Sonoma 14.5, macOS Ventura 13.6.7, tvOS 17.5, visionOS 1.2, watchOS 10.5. An app may be able to execute arbitrary code with kernel privileges.Show less
CVE-2025-21403 1Microsoft 1On Prem Data Gateway Jan 27, 2025 Jan 14, 2025 N/A· v4 6.4 MEDIUM· v3 N/A· v2 On-Premises Data Gateway Information Disclosure Vulnerability

Previous 1...555657...153 Next